At 4:50 PM +0000 4/6/12, Xiangyang zhang wrote:
Stephen,

You understand this method very well. The disadvantage is the possible severity of out of order delivery. Even with single SA, it can also cause the out of order problem. As for re-order, just like TCP reorder or IP reassembly, it can be done at intermediate node or end host.

The TCP and IP specs do not envision an intermediary trying to put packets back in order or performing reassembly. When middle boxes do this, performance often suffers.

If it is done at SGW, RFC 6471 may help to mitigate the issue.



In your previous mail, this was described as a potentially very complex feature. As a matter of fact, it is simpler to implement than an SA bundle. For an SA bundle with two SAs, a packet must go through processing two times. For an SA cluster, a packet needs to be processed only once. Here I do not intend to deny the out-of-order claim.

Note that RFC 4301 removed the requirement to support SA bundles, so the comparison seems out of place.

This is another option compared with an SA or an SA cluster. Product developers can choose which method they need, or it can be made configurable. I submitted the draft to see if it exhibits some benefit. It is not intended to be necessarily better than, or to replace, the existing methods.

As I noted in prior messages, this seems awfully complex and has the potential to degrade performance, so a very strong security argument needs to be made to justify considering this proposal. I have not seen that argument.

Steve
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

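The thread above argues about how severe out-of-order delivery is when one traffic stream is spread over several paths or cores. The concrete cost on an ESP SA is the receiver's anti-replay window (RFC 4303 section 3.4.3): a packet that arrives more than one window width behind the highest sequence number already seen is discarded even though it is legitimate. The following is an added example, not code from the thread, from Steve, from Xiangyang's draft, or from any IPsec implementation. It implements the RFC 4303 sliding-window check, then drives it with a constructed traffic model (`reorder_across_paths`, the path count and the per-path delay are all assumptions made for illustration) to count how many good packets a receiver would drop for a given window size. It does not implement the SA-cluster proposal or the mitigation RFC the thread mentions; it only shows the failure mode they are arguing about.

```python
# Added example (not from the thread or the draft under discussion).
# Receiver-side IPsec anti-replay window in the style of RFC 4303 sec. 3.4.3,
# fed with a constructed, deliberately reordered ESP sequence-number stream.

from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    """Sliding anti-replay window as described in RFC 4303 section 3.4.3.

    `top` is the highest sequence number accepted so far. `bitmap` holds one
    bit per sequence number in the interval (top - size, top], with bit 0
    standing for `top` itself and bit k for `top - k`.
    """
    size: int = 64          # RFC 4303: minimum 32, default/recommended 64
    top: int = 0
    bitmap: int = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True (and record seq as seen) if seq is acceptable."""
        if seq == 0:
            return False                          # 0 is never a valid ESP sequence number
        if seq > self.top:                        # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:           # left of the window: too old, drop
            return False
        bit = 1 << (self.top - seq)               # inside the window
        if self.bitmap & bit:
            return False                          # already seen: genuine replay
        self.bitmap |= bit
        return True


def reorder_across_paths(count: int, paths: int, extra_delay: int) -> list:
    """Constructed traffic model (assumption, not from the thread).

    The sender emits sequence numbers 1..count on one SA and sprays them
    round-robin over `paths` parallel paths (cores or links). Path i adds
    i * extra_delay time units of latency, so the receiver sees the packets
    in arrival order, not in sequence-number order.
    """
    arrivals = []
    for seq in range(1, count + 1):
        path = (seq - 1) % paths
        arrivals.append((seq + path * extra_delay, seq))
    arrivals.sort()
    return [seq for _, seq in arrivals]


def count_drops(seqs, window_size: int) -> int:
    """Number of (legitimate, never-duplicated) packets the receiver discards."""
    window = AntiReplayWindow(size=window_size)
    return sum(0 if window.check_and_update(s) else 1 for s in seqs)


if __name__ == "__main__":
    stream = reorder_across_paths(count=400, paths=2, extra_delay=100)
    for w in (32, 64, 128):
        print(f"window={w:4d}: dropped {count_drops(stream, w)} of {len(stream)}")
    print("single path, window=64:",
          count_drops(reorder_across_paths(400, 1, 100), 64), "dropped")
```

With a single path nothing is dropped; with two paths whose latency differs by more than the window width, every packet on the slower path is discarded as too old, so the "severity" in the thread depends on the relationship between the window size and the latency skew between paths, not on reordering as such.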